# Broken Object Level Authorization

Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request. Object IDs can be sequential integers, UUIDs, or arbitrary strings. Regardless of the data type, they are easy to identify in the request target (path or query string parameters), in request headers, or even in the request payload. This issue is extremely common in API-based applications because the server component usually does not fully track the client's state and instead relies on parameters sent by the client, such as object IDs, to decide which objects to access. The server response is usually enough to tell whether the request succeeded.

## Vulnerable Code

The code snippet below is vulnerable to broken object-level authorization. It takes a username directly from the request URL and queries the database without any additional authorization check to verify that the requesting user is permitted to access the specified user's data. This flaw allows an attacker holding any valid JWT to read any user's information simply by changing the `username` parameter in the request path.

```python
from fastapi import APIRouter, Depends
from fastapi.encoders import jsonable_encoder
from fastapi.responses import JSONResponse
from sqlalchemy.orm import Session

# JWTBearer, get_db and get_user_by_username_handler come from the project's own modules.
router = APIRouter()

@router.get("/users/{username}", dependencies=[Depends(JWTBearer())])
async def get_user_by_username(username: str, db: Session = Depends(get_db)):
    # Authentication only: the JWT proves the caller is logged in, but nothing
    # ties the caller's identity to the `username` taken from the path.
    user = await get_user_by_username_handler(db, username)
    if user:
        return JSONResponse(status_code=200, content={"status": "success", "message": "User retrieved successfully", "data": jsonable_encoder(user)})
    return JSONResponse(status_code=404, content={"status": "error", "message": "User not found"})
```

```python
from sqlalchemy.orm import Session

# UserModel is the project's SQLAlchemy model for the users table.
async def get_user_by_username_handler(db: Session, username: str):
    '''
    Get user by username. The caller's identity is never passed in,
    so there is no point at which ownership of the record could be checked.
    '''
    return db.query(UserModel).filter(UserModel.username == username).first()
```
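The same endpoint with the missing object-level check, as an added example that is not the project's own code. It replaces the framework and database with a constructed in-memory stand-in (`USERS`, `Principal`, `DENIALS` are assumptions) so the vulnerable and hardened handlers can be compared side by side.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for the users table; not the project's database.
USERS: Dict[str, dict] = {
    "alice": {"username": "alice", "email": "alice@example.test", "balance": 1200},
    "bob": {"username": "bob", "email": "bob@example.test", "balance": 50},
}

# Denied lookups, recorded for detection: one principal probing many
# usernames is the typical signature of BOLA enumeration.
DENIALS: List[Tuple[str, str]] = []


@dataclass(frozen=True)
class Principal:
    """Identity established by the JWT dependency (claims already verified)."""
    username: str
    role: str = "customer"


def vulnerable_get_user(username: str, principal: Principal) -> Tuple[int, dict]:
    """Mirrors the page's handler: the JWT only proves *someone* is logged in,
    so any authenticated principal can read any record."""
    user = USERS.get(username)
    if user:
        return 200, {"status": "success", "data": user}
    return 404, {"status": "error", "message": "User not found"}


def is_authorized(principal: Principal, username: str) -> bool:
    """Object-level check: the record's owner, or an admin, may read it."""
    return principal.role == "admin" or principal.username == username


def hardened_get_user(username: str, principal: Principal) -> Tuple[int, dict]:
    """Same endpoint with the authorization check the page's code lacks.
    Unauthorized lookups get the same 404 as missing users, so the response
    cannot be used to confirm which usernames exist."""
    user = USERS.get(username)
    if user is None or not is_authorized(principal, username):
        if user is not None:
            DENIALS.append((principal.username, username))
        return 404, {"status": "error", "message": "User not found"}
    return 200, {"status": "success", "data": user}
```

In a FastAPI route the `Principal` would come from the same `JWTBearer` dependency that currently only gates authentication, and the handler would take it as a second argument alongside the path `username`.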

## Vulnerable APIs

**(Customer) Get User by Username**

<https://apidoc.fvb.vchan.in/#1632033e-c60b-463e-bc86-8f2ea2c63531>

**(Customer) Get Accounts by Username**

<https://apidoc.fvb.vchan.in/#eeef80ab-865a-4505-9f7e-b64751b2a57a>

**(Admin) Get User**

<https://apidoc.fvb.vchan.in/#c641a5f1-4a3f-4a56-98c5-a8a1db5b92f0>

**(Admin) Delete User**

<https://apidoc.fvb.vchan.in/#61151994-3d0e-475e-9bd6-9f0e08e0f3e2>

## Compliance

* OWASP: **API1:2023**
* PCI: **6.5.8**
* GDPR: **Article-32**
* SOC2: **CC1**
* ISO27001: **A.9.4**
* NIST: **SP800-53**

## CWE & CVSS

* CWE: **863**
* CVSS VECTOR: **CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C**
* CVSS SCORE: **5.1**
